In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company’s recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software.
Update, 5:39 p.m. ET: In an apparent reversal, Microsoft now says it will be re-instating the security notifications via email. Please read the update at the end of this post.
Original story:
Last week, Microsoft sent the following notice to IT professionals and others who have signed up to receive email notices of security updates:
“As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:”
* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins
“In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website.”
“For more information, or to sign up for an RSS feed, visit the Microsoft Technical Security Notifications webpage at http://technet.microsoft.com/security/dd252948.”
Asked about the reason for the change, a Microsoft spokesperson said email communication was suspended to comply with a new Canadian anti-spam law that takes effect on July 1, 2014.
Some anti-spam experts who worked very closely on Canada’s Anti-Spam Law (CASL) say they are baffled by Microsoft’s response to a law which has been almost a decade in the making.
Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE), said CASL contains carve-outs for warranty and product safety and security alerts that would more than adequately exempt the Microsoft missives from the regulation.
Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide “warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased.”
“I am at a complete and total loss to understand how the people in Redmond made such an apparently panicked decision,” Schwartzman said, noting that Microsoft was closely involved in the discussions in the Canadian parliament over the bill’s trajectory and content. “This is the first company I know of that’s been that dumb.”
Schwartzman said many companies have used CASL as an excuse to freshen up their email lists and to re-engage their customers. Some have even gone so far as to enter respondents who verify that they still want to receive email communications from a company into drawings for cash prizes and other giveaways.
“Over the past couple of weeks, I’ve seen nothing but a steady stream of reconfirmation mails from various companies,” he said. “I’m now in the running for several $500 dollar gift certificates because I confirmed my email. And at the bottom of each of these messages is a note that says ‘please ignore this offer if you’re not Canadian.'”
CAUCE board member Jeff Williams, a former group program manager at Microsoft’s Malware Protection Center, chalked Microsoft’s decision up to little more than a tough call.
“I can imagine the discussion and wondering among the lawyers and [Microsoft] whether they should try to get hundreds of millions of opt-ins before June 30 or if they should change the way they share info,” Williams said. “I’m sure it wasn’t an wasn’t an easy decision, but I wouldn’t call it an overreaction.”
In addition to pushing notices about new updates out via Microsoft’s RSS feeds, the company also appears to be making the security email alerts available to users who have Live, Outlook or Hotmail accounts with Microsoft. And of course, readers can continue to rely on KrebsOnSecurity to feature information on any new security updates available from Microsoft, including each Patch Tuesday bundle as well as emergency, “out-of-band” updates released to address zero-day security threats.
Update, 5:40 p.m. ET: In an apparent reversal of its decision, Microsoft now says it will be re-starting its security notifications via email early next month. From a Microsoft spokesperson: “On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014.”
And not one real spammer will be deterred
As a Canadian computer professional, I’m unhappy about the move by MS to discontinue email updates for security issues and move to RSS. I find RSS to be not as simple as promised – and emails land in my Inbox automatically. With RSS I have to go to a webpage or aggregator to get security update news.
Thunderbird lets you subscribe to RSS and see it like email.
– https://support.mozilla.org/en-US/kb/how-subscribe-news-feeds-and-blogs
So does Outlook:
2007 – http://office.microsoft.com/en-us/outlook-help/add-an-rss-feed-HA010159539.aspx
2010 – http://office.microsoft.com/en-us/outlook-help/subscribe-to-an-rss-feed-HA010355679.aspx
2013 – http://office.microsoft.com/en-us/outlook-help/subscribe-to-an-rss-feed-HA102749404.aspx
Except by design with security in mind, my org’s email (or Desktop PC) doesn’t have direct Internet access. We run browser-based Internet access in a VDI hosted on servers in DMZ to contain threats. We really don’t want to run another set of VDI instances just to get RSS feeds into Outlook.
You are a computer professional and are upset by the use of RSS? You probably work for Microsoft. Every professional uses RSS / Atom feeds every day.
This sounds like a bad idea all around.
Yes because the people spamming links to illegal pharmacy always obey the law
See!
Threats of attacking a company’s bottom line – profit works. Now if the US “covertment” can grow a set and get their act together in regards to breaches and non-compliance, setting the same fine levels – You betcha they either comply or go broke.
If Microsoft balks and knee-jerks at something like this, many other agencies would definitely readjust their outlook on security.
I am so freaking tired of hearing ‘Oh, dang, we got hacked and fell victim as well’ – as if it’s trendy for people to get hacked for free publicity. Want publicity? Go to Hollywood – or Dollywood and marry a hottie and then divorce each other for no good reason other than “breaking news”.
Blah.
I’m pretty sure it is easier and cheaper for MS to allow interested parties to “pull” information using RSS than it is to manage an email list with a gazillion subscribers. This may be something they’ve wanted to do for a while.
Bingo. This provides a handy excuse to do what they must have wanted to do anyway, because no other explanation is logical.
This really s*cks, I am dependent on getting those emails every month!
Surface
Windows RT
VDA licensing
metro UI
The missing start menu
and not this….
Did they make weed legal in Redmond or something?
Microsoft has been in a tailspin ever since Bill Gates left. The CEO may have changed but obviously the company continues to be made up of dumbasses still. This is more about optics than anything else. If it is about a cost issue then there is a right way to go about doing it. Whoever is responsible for this decision should be fired, and a clear message should be sent to all employees that the old way of functioning is over. Only then will Microsoft have any hope of recovering. Until then the likes of Apple and Google will eat their lunch.
> Did they make weed legal in Redmond or something?
Yes, but don’t go looking outside Microsoft for help. It’s legal statewide.
Weed is legal in Washington State. Except there is no legal place to purchase it yet. Of course it’s been easier to buy weed here than alcohol.
Personally, I like the law. Many companies don’t send a confirmation email with a randomly generated token to ensure that the person who controls the email address was the person who entered the email address into a form.
In three years, I’ll be able to sue these incompatible companies for $ 200 / message (up to 5,000 messages) per day.
Companies I’d like money from include:
Facebook
Groupon
LinkedIn
Square
Match
Monroe and Main
PurePlay (I have no idea who they are and don’t want to know, but I will happily seek reimbursement from them using the Private Action portion of the legislation)
Microsoft (Skype) – but based on this I expect them to stop spamming me!
Ronald Reagan Presidential Library (OK, this isn’t a company, but I’ve tried to reason with them and that failed)
Users should not be encouraged to click random links in unsolicited email messages. That’s an invitation to being attacked by a browser exploit leading to malware / a botnet.
Private Right of Action is here:
http://laws-lois.justice.gc.ca/eng/acts/E-1.6/page-14.html
Actually the PROA is held in abeyance until 2017.
Yes, I said “in three years” in the parent comment.
And that is exactly why companies like Microsoft will bow out of serving Canadian customers. None of the major companies you listed are spamming you – you almost certainly provided consent at some point. As a company whose business has a heavy newsletter component, we get numerous complaints from individuals saying they never signed up for our list (though we have a 100% explicit opt-in list and NEVER spam).
With the new Canadian law, we will now be faced with the prospect of individuals (like you) having the right to sue us for damages because you forgot you signed up for an email and either paying the extensive legal costs to defend those frivolous suits or being forced to settle each one (which we would likely do because the cost is so much lower).
And while Canada becomes the capital of frivolous email lawsuits against legitimate companies, the real spammers will continue on in all their anonymous glory.
I completely disagree that people ‘forget’ that they have signed up for the email. I have been receiving email that other people signed me up for, for years. I get someone’s Sprint bill, I get someone else’s On Star monthly information, I used to get scripts, I would also receive Frat Mom info emails.
It is very obvious to me that these companies do not require affirmative action to add emails to a list or I would not be getting these. These emails call me by many names, Michelle, Danielle, David, amongst others. I think the people they are meant for just forget to put the extra numbers or letters that they must have in their email but I would not get their personal info emailed to me if they had to confirm their email.
We track every email signup with a confirmation IP address. When we investigate complaints, that IP address almost always corresponds with the complainer’s location. People just forget.
Most of the other issues you’re describing aren’t spam, they’re simply transcription mistakes for when people sign up for Sprint service in-store or buy a new car and activate OnStar. It’s unclear how the Canadian law would affect these situations since there will be clear opt-in documentation; someone just screwed up the typing. Also, all of these emails from legitimate companies have an unsubscribe link at the bottom, as already required under CAN-SPAM. These are hardly the types of spam situations the Canadian law is intended to address.
That’s where you’d be wrong. These emails from actual companies sending me actual customer information do not have unsubscribe links. They do have a link to access my “account” but require a password to do so. Obviously I don’t know the password.
Could have been easily solved by requiring confirmation in the first place.
Go to the “account” page. Click “Lost Password.” They’ll mail you a password reset link. Log in to the account, opt out of email (or change the email address to bogus@bogus.com) and change the password to a 28-character random string. Problem solved.
So you are recommending that she hack into people’s accounts? Not a smart move…
Not really. What do you recommend? Spending hours on the phone with their tech support, waiting to fix someone else’s mistake? Changing the password to access the account and change the email will force the rightful owner to contact the tech support themselves and fix things.
And if that link doesn’t exist? I have seen some companies only allow you to change email address and passwords if you have the account number and that is sometimes not contained in the emails they send you.
It is spam if there is no way to get off of them. Quite often from larger companies you cannot change the address or stop emails unless you are the confirmed owner of the account.
I have had this problem in the past: no remove link, no postmaster inbox, no success calling them on the phone. In some cases they don’t even check that the email even delivers.
That’s exactly why I always use a disposable email address when I sign up for any online service. Heck, I’m even using a disposable email address to post this comment. I’ve had to discontinue numerous disposable email addresses over the years that I’ve provided to legitimate organization because their systems were breached, and I started receiving spam and phishing scams.
Thanks Debbie for explaining how we get this unsolicited junk.
As for how I’d expect a company to protect itself, it’s pretty simple:
1. Log the origin of an email address addition request
2. Send (and log) a single email to that address requiring affirmative action – this needs to include a randomly generated token for verification.
3. Do not send any further email messages to that address unless and until:
4. User takes affirmative action based on the email from 2 – providing their email address and the token
5. Log 4.
Competent companies (and modern list serves) already use this process for managing sign ups. Adding logging shouldn’t be a big deal. Incompetent companies don’t require affirmative action and deserve to be fined until they reform.
—
Yes, I do sign up for email with companies, but I don’t use the email address at which I’m receiving the spam, and I don’t give random names.
I’m also on a Sprint / MVNO and had at least one person purchase at least one iPhone with my email address listed for the account – that got me an IMEI.
I’m still being reminded of laser hair removal in Florida…
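The five-step confirmed opt-in process laid out above (log the request, mail one token, send nothing else until the token comes back, log the confirmation), as an added Python example that is not part of the original post or any commenter’s code; the addresses, IP addresses and timestamps are constructed, and the in-memory store stands in for a real list manager:

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed double opt-in store (example code, not a real list manager).
# "sent" records every message the service would hand to an MTA, so the rule
# "no mail before confirmation" can be checked from outside.
TOKEN_TTL = 24 * 3600  # confirmation tokens stop working after a day


@dataclass
class Pending:
    token: str
    requested_from_ip: str
    requested_at: float


@dataclass
class OptInList:
    pending: dict = field(default_factory=dict)    # email -> Pending
    confirmed: dict = field(default_factory=dict)  # email -> audit record
    audit: list = field(default_factory=list)      # steps 1, 2 and 5 logged here
    sent: list = field(default_factory=list)       # (recipient, subject) pairs

    def request(self, email, src_ip, now=None):
        """Steps 1 and 2: log the addition request (with its source IP, which
        is evidence but not proof of who typed the address) and send exactly
        one confirmation mail carrying an unguessable token. A repeat request
        reuses the pending token instead of flooding the address with mail.
        The token is returned only so the example can be driven without an
        MTA; production code mails it and returns nothing."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        self.audit.append(("request", email, src_ip, now))
        if email in self.confirmed:
            return None  # already on the list; nothing to send
        if email not in self.pending:
            self.pending[email] = Pending(secrets.token_urlsafe(32), src_ip, now)
            self.sent.append((email, "confirm-subscription"))
            self.audit.append(("confirmation-sent", email, src_ip, now))
        return self.pending[email].token

    def confirm(self, email, token, src_ip, now=None):
        """Steps 4 and 5: the recipient returns the token. Only a fresh,
        matching token moves the address to the confirmed set; every attempt,
        successful or not, is logged with its source IP."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        p = self.pending.get(email)
        if p is None or now - p.requested_at > TOKEN_TTL:
            self.audit.append(("confirm-rejected", email, src_ip, now))
            return False
        if not hmac.compare_digest(p.token, token):  # constant-time compare
            self.audit.append(("confirm-rejected", email, src_ip, now))
            return False
        del self.pending[email]
        self.confirmed[email] = {"requested_from": p.requested_from_ip,
                                 "confirmed_from": src_ip, "confirmed_at": now}
        self.audit.append(("confirmed", email, src_ip, now))
        return True

    def send_newsletter(self, subject):
        """Step 3: bulk mail goes to confirmed addresses only. A mistyped
        address that never confirmed receives nothing beyond its one token."""
        recipients = sorted(self.confirmed)
        for addr in recipients:
            self.sent.append((addr, subject))
        return recipients
```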
You are going to pay instead of having a simple proof of sign-up and confirmation? Really? Please do tell me your company name.
Look at the message from Timeless my comment was in response to. My company name could be Facebook, Groupon, or Microsoft. Look at Debbie’s complaint on receiving an email from Sprint because of a mistyped email address as an example of spam. There are legions of people who are all set to sue and ask questions later, and this suit gives them the ability to do that.
No matter how frivolous, any suit or threatened suit requires a legal response (at $300+ per hour), along with the time of researching and documenting each individual case. If the company actually has to go to court to defend itself, that will easily run into the thousands of dollars. Most companies would quickly settle in these circumstances rather than fighting. Which, unfortunately, encourages more people to file frivolous suits.
Except that few companies run opt-in mailing lists, and instead run opt-out mailing lists, and many don’t honor opt-out requests. This legislation appears to force companies to switch to opt-in mailing lists, which insures the individual sending the email is actually the person sending the email.
BTW, in your other response, I noticed you referenced an IP address. Have you ever stopped and considered that thousands of systems can be NAT’d behind a single public IP address? What if, for example, a student thinks it’s funny to sign up his teachers for mailing lists, and his request goes out – via the school’s network – on the same IP address that the teacher’s request to remove themselves goes out on? These situations happen far more often than you think, and rise precipitously when alcohol gets involved. At my last workplace the executive in charge of maintaining the email lists thought that because he stopped getting bounce notices (after nearly everyone stopped sending/receiving bounce notices) that meant all the email addresses – harvested by having drunken idiots type in email addresses in bars – were legally valid to spam with dozens of emails in a week. No attempt at an opt-in system was ever implemented because it wasn’t legally required and the customers (the drunks entering the incorrect addresses) didn’t care.
Dammit. Opt-in insures the individual receiving the email is the individual who requested the email.
All US companies are required to honor opt-out under CAN-SPAM already. And I strongly support only allowing opt-in emails and requiring opt-out compliance.
All this talk of drunk students (we’ve never had an instance of mass sign-ups creating spam complaints) and mistyped email addresses is a red herring. The vast majority of spam (I’ll hazard a guess that means about 99.999% on a volume basis, and that’s probably an underestimate) comes from anonymous senders masked via overseas servers. Since individuals have no means of pursuing these spammers, the individual right to sue clause in Canada will have essentially no effect on the volume of spam. Any “real” companies violating the law, can be pursued by Canadian law enforcement for penalties (as it works here in the States). Balance that against the cost to companies of defending frivolous lawsuits, and the individual pursuit aspect of the law seems highly ill-advised.
And you are 100% correct. The main people hurt by this are companies that must now use the telephone or use regular mail to contact prospects.
Coincidentally this may help the failing Canada Post and their union.
This law is an embarrassment and as JK said it will have pretty well zero effect on SPAM.
This sounds to me to either be a convenient way of dumping an expensive delivery channel (30m emails are more expensive than an RSS feed) and blaming it on someone else, OR, someone’s lawyers can’t read. Or both.
If the recipients of these emails had signed up for them, then, there is already explicit consent, and they could have continued sending with no issue whatsoever.
If Microsoft had only been sending them with implicit rather than explicit (in other words, the users _didn’t_ expressly sign up for them contrary to Microsoft’s claim), the new law allows them 3 whole years to gain explicit consent.
Sounds like they are lazy. As a Canadian I have seen most companies’ response to this – send a new email asking for their email list clients to opt-in/confirm once again that they want to be emailed.
I’ve been getting a few of those a day for a month now and we did it for our own company as well.
“Microsoft is blaming a new Canadian anti-spam law for the company’s recent decision”
Blame Canada
http://www.youtube.com/watch?v=bOR38552MJA
New video: “Blame Microsoft, eh!”
Read the quote in Brian’s article. The Canadian law does not apply to security-related email. Consequently it should not be used as an excuse to terminate security bulletin distribution via email. Microsoft can always use their security bulletin distribution lists to disseminate an opt-in notice even though it is not required by law. There is no “hard decision” to make regarding the Canadian law. Microsoft Security Bulletins fall clearly within the stated exceptions. Microsoft can continue sending their security bulletins via email. Just do it!!!
This is the only place I’ve seen reference to any email service continuing. Is there more specific information on continuing to receive email alerts on Microsoft accounts?
“In addition to pushing notices about new updates out via Microsoft’s RSS feeds, the company also appears to be making the security email alerts available to users who have Live, Outlook or Hotmail accounts with Microsoft.”
Microsoft is being entirely reasonable. The law explicitly says “solely”, and one could certainly argue that most Microsoft updates contain some level of promotion, in addition to the actual information. Microsoft has little interest in proactively sending notifications which don’t contain promotional verbiage, and even less interest in fighting inevitable lawsuits alleging that the emails do not contain “solely” security update information. The reasonable and safe course is to just discontinue the emails.
If that’s considered a bad thing, blame the people who made the law. Don’t blame Microsoft for reacting in a prudent business manner to questionable legislation.
You forgot to add your Microsoft employee ID….
No he didn’t post as a MS shill.
There is a non-zero, if unfortunate, risk that a message reiterating the demise of support for Windows XP, and offering recommended purchase paths to replacement products, may be interpreted as “not wholly security content”.
Do you, as a matter of business policy, want to put that decision into the hands of many court jurisdictions, possibly conflicting verdicts, and then pursue resolution through ever higher courts?
MS success has never been primarily technical, somebody else has almost always done it first, or better someplace else. From the first sale of Basic, it has been an often “good enough” product, with a better marketing strategy than the other guy.
Not being able to put a marketing message in a security announcement, which is one of their most persuasive levers, MS pathologically can’t do that. It isn’t in their corporate DNA.
Notification of the updates is still available (according to the Web site) by signing up for the Microsoft Security Newsletter (I have been receiving it for years), though that generally doesn’t come out until several days after Black Tuesday.
To Nick: There is no promotion of business in the security emails. It’s plain email with a PGP signature. I’m blaming overactive attorneys at Microsoft who interpreted this law incorrectly.
Meanwhile I’m receiving Apple security emails with no such re-opt in and no such discontinuance of alerts.
“I’m sure it wasn’t an wasn’t an easy decision, but I wouldn’t call it an overreaction.”
Déjà vu… A glitch in the matrix, no doubt.
This coming from the company that cloaks sender IPs, making fraudulent emails and harassment email impossible to track without going through a zillion legal loopholes. Big surprise…
Another example of bureaucracy gone awry. At the end of the day this is not going to deter spammers..
Really? Having legal judgements entered against you that can lead to court-enforced seizure of assets isn’t going to deter anyone?
So because people commit murder we should remove all laws on the book relating to murder?
This argument seems to always center around a minority of lawless individuals who won’t be deterred no matter what legislation is enacted. Because we can’t have 100% enforcement therefore all laws should be abolished. This patently ridiculous argument, sadly, passes as political discourse in parts of the US.
It’s actually the MAJORITY of lawless individuals who won’t be deterred. Unless your spam situation is very different in Canada than it is here in the US, the vast, vast majority of spam comes from overseas spam servers and criminal networks that this law will do little to prevent.
Just had the following after emailing our TAM:
“On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014.”
Funny though that I got the “please click to continue to receive mail from us” from the MS certificate portal emails yet this one they opted not to (at first) follow the same route. I suppose a company this large has differing divisions and control and uniformity isn’t so easy to control (if desired). Just found that ironic when this hit the press at first (didn’t get a chance to post till now).
What an opportunity for phishers though, I’ve gotten about 40 – 50 requests to renew and half of them I don’t even recognize until I search through my email and junk folders, ha. Wow…They won’t be missed, thanks Canadian Gov’t for this!
I love how all these companies are including promos in their emails to stay with them. One I just got said “Saying good bye shouldn’t be this easy!” in the subject. I thought to myself, “Oh, yes, yes it should!!! Good riddance!”. I couldn’t be bothered to go through the trouble of supposedly unsubscribing from mailing lists and making things worse (I just don’t have the time most times to work through the labyrinth they set up) but spam filters and email filtering on keywords/terms works as well…Ah well. Just made me giggle, that headline, heh. Some of the companies I do want mail from included promos too, so that was cool! 🙂
Say, where is the BK email alert to stay connected…? Hmm… ;oP
“Blame Canada” – did I venture into a Southpark Movie review by mistake?